Lukas Trejtnar
l.trejtnar at open.ac.uk
Fri Oct 29 09:03:17 EDT 2004
Hi Jorey,

Thank you for the examples. I tried the latter and it worked exactly as I wanted it to work. I reused this example in the PythonAuthenHandler and it worked fine, also. Great, many thanks.

I'm a bit curious if it is possible to use session's native functions for the same functionality instead of a reimplementation of the session's timeout.

Thanks,
Lukas

Jorey Bump wrote:

> Jorey Bump wrote:
>
>> I think we both did. Your session handling code should appear in the
>> section that handles successful authentication. Then you need to
>> perform the *authorization* step by checking the validity of the
>> session. If that test fails, you return apache.HTTP_UNAUTHORIZED (in
>> addition to returning it where authentication fails):
>>
>>     if passwd == "spam" and user == "eggs":
>>         session handling/tests here
>>         if passed:
>>             return apache.OK
>>         else:
>>             return apache.HTTP_UNAUTHORIZED
>>     else:
>>         return apache.HTTP_UNAUTHORIZED
>>
>> Again, this is untested, and I'm no sessions guru. If I get a chance
>> to work up any usable code, I'll post it.
>
> It seems that Session.timeout() isn't suitable for tracking inactivity,
> it merely imposes a finite lifespan on the session, regardless of last
> access (correct me if I'm wrong). Therefore, you need to set session
> variables to track time between requests. This isn't too hard. I used
> Publisher's builtin authentication instead of PythonAuthenHandler,
> because I'm more familiar with it.
>
> The basic logic is this:
>
> 1. Set session variables when session is created.
> 2. For each request, look at session variables to measure inactivity.
> 3. If inactive too long, force user to reauthenticate.
>
> For the last step, the session may be deleted to force session
> initialization code to run again.
>
> To test the following, open a browser, visit the appropriate URL,
> authenticate (user=eggs, pwd=spam), hit refresh a few times, pause
> longer than 5 seconds, then hit refresh again. You should be forced to
> reauthenticate.
>
> Tested on:
>
> Apache 2.0.52
> Python 2.3.4
> mod_python 3.1.3
>
> In httpd.conf:
>
> <Directory "/usr/local/apache2/htdocs">
>     Order allow,deny
>     Allow from all
>     SetHandler python-program
>     PythonHandler mod_python.publisher
>     PythonDebug On
> </Directory>
>
> This is hello.py (visit http://localhost/hello.py/say?what=something):
>
> from mod_python.Session import Session
> import time
>
> # restrict access to this module with basic authentication
> __auth_realm__ = "Restricted"
>
> # allow these users
> def __access__(req, user):
>     if user == "eggs":
>         return 1
>     else:
>         return 0
>
> # check user and password
> def __auth__(req, user, passwd):
>     if user == "eggs" and passwd == "spam":
>         # user has successfully authenticated
>         sess = Session(req)
>         if sess.has_key('max_inactive'):
>             # this is an existing session
>
>             # check length of inactivity
>             elapsed = time.time() - sess['last']
>
>             # reset timer for next request
>             sess['last'] = time.time()
>             sess.save()
>
>             # compare elapsed inactivity to maximum allowed
>             if elapsed > sess['max_inactive']:
>                 # it's been too long
>
>                 # uncomment to delete session (optional)
>                 # sess.delete()
>
>                 # force user to reauthenticate
>                 return 0
>             else:
>                 # still within time limit
>                 req.write("Authorized.\n\n")
>
>                 # allow user to continue
>                 return 1
>         else:
>             # this must be a new session, so set session variables
>
>             # set maximum inactivity allowed, in seconds
>             # use low value for testing
>             sess['max_inactive'] = 5
>
>             # initialize timer
>             sess['last'] = time.time()
>
>             sess.save()
>
>             # do new session stuff here
>             req.write("Session started.\n\n")
>
>             # allow user to continue
>             return 1
>     else:
>         # wrong user or password, force user to reauthenticate
>         return 0
>
> def say(req, what="NOTHING"):
>     # all that, just to see this?
>     return "I am saying %s." % what
>
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
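Added example, not code from the thread: the inactivity check from the quoted __auth__ reduced to a function over a plain dict that stands in for mod_python's Session, with the clock injected so the timeout can be exercised without waiting, next to a fixed-lifespan check of the kind the thread describes Session.timeout() as providing. The 'created' key and the demo() timeline are assumptions made for the illustration.

```python
import time

MAX_INACTIVE = 5  # seconds; deliberately low for testing, as in the thread


def check_session(sess, now=None, max_inactive=MAX_INACTIVE):
    """Authorization step from the thread: True lets the request continue,
    False forces reauthentication.  `sess` is any dict-like session store
    (a plain dict here, standing in for mod_python's Session)."""
    if now is None:
        now = time.time()
    if 'max_inactive' not in sess:
        # new session: record the limit, creation time and last-access time
        sess['max_inactive'] = max_inactive
        sess['created'] = now
        sess['last'] = now
        return True
    elapsed = now - sess['last']
    if elapsed > sess['max_inactive']:
        # inactive too long: take the thread's optional sess.delete() path,
        # so the next successful login starts a fresh session
        sess.clear()
        return False
    sess['last'] = now  # reset the inactivity timer for the next request
    return True


def lifespan_expired(sess, now, max_age):
    """Fixed-lifespan check, the behaviour the thread describes for
    Session.timeout(): ends max_age seconds after creation no matter how
    recently the session was used, so it does not measure inactivity."""
    return now - sess['created'] > max_age


def demo():
    """Constructed timeline: requests at t=0,3,6,9 (never idle > 5 s), then
    silence until t=20.  Returns (per-request results, expired_by_age)."""
    sess = {}
    results = [check_session(sess, now=t) for t in (0.0, 3.0, 6.0, 9.0)]
    # at t=9 the session is 9 s old: a 5 s fixed lifespan would already have
    # ended it even though the user was never idle for more than 3 s
    expired_by_age = lifespan_expired(sess, now=9.0, max_age=5)
    results.append(check_session(sess, now=20.0))  # 11 s idle -> reauth
    return results, expired_by_age


if __name__ == "__main__":
    print(demo())  # ([True, True, True, True, False], True)
```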